News

P2P Breach Leads to Walter Reed Data Leak

An investigation launched Tuesday into the possible compromise of about 1,000 patient records at Walter Reed Army Medical Center serves as a stern reminder of how dangerous peer-to-peer (P2P) and other social networking applications can be, security experts warn.

The names, Social Security numbers and birth dates of the patients were among the personally identifiable information in a computer file that was shared without authorization, according to a statement made by the Washington, D.C. U.S. Army hospital.

The risk of data breaches will only increase as use of file-sharing software becomes prevalent in the workplace, according to Paul Zimski, vice president of product solutions for Scottsdale, Ariz.-based Lumension Security.

"What's alarming about this incident is that it's not something you can stop at the network level," Zimski said. "Even hard drive encryption doesn't really work because when you file share, default installers will share out your My Documents, as well as your settings and Windows files."

Security pros such as Zimski say that if internal policies and procedures, periodic security audits, or both automated and manual whitelisting of acceptable applications aren't deployed at different enterprises, intrusions from file sharing will not only be more frequent but more sophisticated.

For its part, Walter Reed said in its statement that the Health Insurance Portability and Accountability Act of 1996 "protects patients from unauthorized release of their health records." It added that the hospital has "a robust information assurance program that meets all program standards and requirements."

According to media reports early Tuesday, the military officer in charge of Walter Reed, Col. Patricia Horoho, circulated a memo asking managers to ensure that the staff was not "loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected." The memo was reportedly posted on the Walter Reed Web site before being taken down.

Security experts say that in cases like these, relying on an "honor system" is not sound policy.

"I think this is absolutely a case where unacceptable software should have been listed and banned beforehand," Zimski said. "ISPs have been trying to deal with peer-to-peer incursions for a long time and what companies need to know is that these applications are real stealthy on the network and not easily defensible unless the enterprise-wide system is locked from the inside."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.